A serious bug is found in SSH library that lets unauthorized people login without asking for credentials.
PUBLISH DATE: 19-10-2018
A vulnerability in libssh’s server-side state machine before versions 0.7.6 and 0.8.4 could lead to creation of channels without first performing authentication. This way, people with malicious intent can acquire unauthorized access.
LibSSH is possibly the most widely deployed remote access protocol in the world. Unix and Linux servers use SSH for remote administration. SSH stands for secure shell, where the term shell is Unix-speak for a command prompt, the place where most Unix-style functions of system administration are performed. The functions can be performed either by a logged-in human manually, or automatically via a logged-in script.
The vulnerability found in the libSSH can only affect applications that use libssh to implement an SSH server whereas SSH client functionality is not affected. For example, no packages in Red Hat Enterprise Linux 6 and prior use libssh to implement an SSH server and therefore remain unaffected by this vulnerability. Moreover, this issue does not affect libssh2 or openssh.
Since customers and third-party codes use the libssh library, any code using the ssh_bind* functions may be affected by this flaw.
The issue is important because the library is used to create a secure tunnel for encrypted communication between two computers on the internet. Secure file transfer between servers, and secure data synchronization between data centers also make use of the libssh library.
Libssh is used as the SSH server of one giant platform, Microsoft’s GitHub source code repository. The risk of unauthorized access for such platforms using libssh as their SSH server is quite considerable.
The following snap from nakedsecurity shows how a client can successfully login just by talking to the server. The bug confuses the server in a peculiar way, in which the client can tell the server that authentication has been successful, instead of the server giving access to the client after careful verification of credentials.
Libssh server-side state machine before versions 0.7.6 and 0.8.4
This vulnerability has been addressed in libssh versions 0.8.4 and 0.7.6, so it is important to update servers once server distributions release patches. Additionally, if software creators implement the libssh library in server mode, they should update to the latest version of the library.
If you think you’re the victim of a cyber-attack, immediately send an e-mail to firstname.lastname@example.org